Azure built-in roles for Hybrid + multicloud

This article lists the Azure built-in roles in the Hybrid + multicloud category.

Azure Resource Bridge Deployment Role

Azure Resource Bridge Deployment Role

Actions Description
Microsoft.Authorization/roleassignments/read Get information about a role assignment.
Microsoft.AzureStackHCI/Register/Action Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources.
Microsoft.ResourceConnector/register/action Registers the subscription for Appliances resource provider and enables the creation of Appliance.
Microsoft.ResourceConnector/appliances/read Gets an Appliance resource
Microsoft.ResourceConnector/appliances/write Creates or Updates Appliance resource
Microsoft.ResourceConnector/appliances/delete Deletes Appliance resource
Microsoft.ResourceConnector/locations/operationresults/read Get result of Appliance operation
Microsoft.ResourceConnector/locations/operationsstatus/read Get result of Appliance operation
Microsoft.ResourceConnector/appliances/listClusterUserCredential/action Get an appliance cluster user credential
Microsoft.ResourceConnector/appliances/listKeys/action Get an appliance cluster customer user keys
Microsoft.ResourceConnector/appliances/upgradeGraphs/read Gets the upgrade graph of Appliance cluster
Microsoft.ResourceConnector/telemetryconfig/read Get Appliances telemetry config utilized by Appliances CLI
Microsoft.ResourceConnector/operations/read Gets list of Available Operations for Appliances
Microsoft.ExtendedLocation/register/action Registers the subscription for Custom Location resource provider and enables the creation of Custom Location.
Microsoft.ExtendedLocation/customLocations/deploy/action Deploy permissions to a Custom Location resource
Microsoft.ExtendedLocation/customLocations/read Gets a Custom Location resource
Microsoft.ExtendedLocation/customLocations/write Creates or Updates Custom Location resource
Microsoft.ExtendedLocation/customLocations/delete Deletes Custom Location resource
Microsoft.HybridConnectivity/register/action Register the subscription for Microsoft.HybridConnectivity
Microsoft.Kubernetes/register/action Registers Subscription with Microsoft.Kubernetes resource provider
Microsoft.KubernetesConfiguration/register/action Registers subscription to Microsoft.KubernetesConfiguration resource provider.
Microsoft.KubernetesConfiguration/extensions/write Creates or updates extension resource.
Microsoft.KubernetesConfiguration/extensions/read Gets extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets Async Operation status.
Microsoft.KubernetesConfiguration/namespaces/read Get Namespace Resource
Microsoft.KubernetesConfiguration/operations/read Gets available operations of the Microsoft.KubernetesConfiguration resource provider.
Microsoft.GuestConfiguration/guestConfigurationAssignments/read Get guest configuration assignment.
Microsoft.HybridContainerService/register/action Register the subscription for Microsoft.HybridContainerService
Microsoft.HybridContainerService/kubernetesVersions/read Lists the supported kubernetes versions from the underlying custom location
Microsoft.HybridContainerService/kubernetesVersions/write Puts the kubernetes version resource type
Microsoft.HybridContainerService/skus/read Lists the supported VM SKUs from the underlying custom location
Microsoft.HybridContainerService/skus/write Puts the VM SKUs resource type
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.AzureStackHCI/StorageContainers/Write Creates/Updates storage containers resource
Microsoft.AzureStackHCI/StorageContainers/Read Gets/Lists storage containers resource
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Azure Resource Bridge Deployment Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/7b1f81f9-4196-4058-8aae-762e593270df",
  "name": "7b1f81f9-4196-4058-8aae-762e593270df",
  "permissions": [
    {
      "actions": [
        "Microsoft.Authorization/roleassignments/read",
        "Microsoft.AzureStackHCI/Register/Action",
        "Microsoft.ResourceConnector/register/action",
        "Microsoft.ResourceConnector/appliances/read",
        "Microsoft.ResourceConnector/appliances/write",
        "Microsoft.ResourceConnector/appliances/delete",
        "Microsoft.ResourceConnector/locations/operationresults/read",
        "Microsoft.ResourceConnector/locations/operationsstatus/read",
        "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action",
        "Microsoft.ResourceConnector/appliances/listKeys/action",
        "Microsoft.ResourceConnector/appliances/upgradeGraphs/read",
        "Microsoft.ResourceConnector/telemetryconfig/read",
        "Microsoft.ResourceConnector/operations/read",
        "Microsoft.ExtendedLocation/register/action",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.ExtendedLocation/customLocations/write",
        "Microsoft.ExtendedLocation/customLocations/delete",
        "Microsoft.HybridConnectivity/register/action",
        "Microsoft.Kubernetes/register/action",
        "Microsoft.KubernetesConfiguration/register/action",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.KubernetesConfiguration/namespaces/read",
        "Microsoft.KubernetesConfiguration/operations/read",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
        "Microsoft.HybridContainerService/register/action",
        "Microsoft.HybridContainerService/kubernetesVersions/read",
        "Microsoft.HybridContainerService/kubernetesVersions/write",
        "Microsoft.HybridContainerService/skus/read",
        "Microsoft.HybridContainerService/skus/write",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.AzureStackHCI/StorageContainers/Write",
        "Microsoft.AzureStackHCI/StorageContainers/Read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Resource Bridge Deployment Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI Administrator

Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader

Actions Description
Microsoft.AzureStackHCI/register/action Registers the subscription for the Azure Stack HCI resource provider and enables the creation of Azure Stack HCI resources.
Microsoft.AzureStackHCI/Unregister/Action Unregisters the subscription for the Azure Stack HCI resource provider.
Microsoft.AzureStackHCI/clusters/*
Microsoft.AzureStackHCI/NetworkSecurityGroups/Read Gets/Lists a network security group resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read Gets/Lists security rule resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/Write Creates/Updates a network security group resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Write Creates/Updates security rule resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/Delete Deletes a network security group resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Delete Deletes a security rule resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/join/action Joins network security group resource
Microsoft.HybridCompute/register/action Registers the subscription for the Microsoft.HybridCompute Resource Provider
Microsoft.GuestConfiguration/register/action Registers the subscription for the Microsoft.GuestConfiguration resource provider.
Microsoft.GuestConfiguration/guestConfigurationAssignments/read Get guest configuration assignment.
Microsoft.Resources/subscriptions/resourceGroups/write Creates or updates a resource group.
Microsoft.Resources/subscriptions/resourceGroups/delete Deletes a resource group and all its resources.
Microsoft.HybridConnectivity/register/action Register the subscription for Microsoft.HybridConnectivity
Microsoft.Authorization/roleAssignments/write Create a role assignment at the specified scope.
Microsoft.Authorization/roleAssignments/delete Delete a role assignment at the specified scope.
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/deployments/* Create and manage a deployment
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Management/managementGroups/read List management groups for the authenticated user.
Microsoft.AzureStackHCI/*
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.Resources/subscriptions/resourcegroups/deployments/read Gets or lists deployments.
Microsoft.Resources/subscriptions/resourcegroups/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.HybridCompute/machines/read Read any Azure Arc machines
Microsoft.HybridCompute/machines/write Writes an Azure Arc machine
Microsoft.HybridCompute/machines/delete Deletes an Azure Arc machine
Microsoft.HybridCompute/machines/UpgradeExtensions/action Upgrades Extensions on Azure Arc machines
Microsoft.HybridCompute/machines/assessPatches/action Assesses any Azure Arc machines to get missing software patches
Microsoft.HybridCompute/machines/installPatches/action Installs patches on any Azure Arc machines
Microsoft.HybridCompute/machines/extensions/read Reads any Azure Arc extensions
Microsoft.HybridCompute/machines/extensions/write Installs or Updates an Azure Arc extension
Microsoft.HybridCompute/machines/extensions/delete Deletes an Azure Arc extension
Microsoft.HybridCompute/operations/read Read all Operations for Azure Arc for Servers
Microsoft.HybridCompute/locations/operationresults/read Reads the status of an operation on Microsoft.HybridCompute Resource Provider
Microsoft.HybridCompute/locations/operationstatus/read Reads the status of an operation on Microsoft.HybridCompute Resource Provider
Microsoft.HybridCompute/machines/patchAssessmentResults/read Reads any Azure Arc patchAssessmentResults
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read Reads any Azure Arc patchAssessmentResults/softwarePatches
Microsoft.HybridCompute/machines/patchInstallationResults/read Reads any Azure Arc patchInstallationResults
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read Reads any Azure Arc patchInstallationResults/softwarePatches
Microsoft.HybridCompute/locations/updateCenterOperationResults/read Reads the status of an update center operation on machines
Microsoft.HybridCompute/machines/hybridIdentityMetadata/read Read any Azure Arc machine's Hybrid Identity Metadata
Microsoft.HybridCompute/osType/agentVersions/read Read all Azure Connected Machine Agent versions available
Microsoft.HybridCompute/osType/agentVersions/latest/read Read the latest Azure Connected Machine Agent version
Microsoft.HybridCompute/machines/runcommands/read Reads any Azure Arc runcommands
Microsoft.HybridCompute/machines/runcommands/write Installs or Updates Azure Arc runcommands
Microsoft.HybridCompute/machines/runcommands/delete Deletes Azure Arc runcommands
Microsoft.HybridCompute/machines/licenseProfiles/read Reads any Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/write Installs or Updates Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/delete Deletes Azure Arc licenseProfiles
Microsoft.HybridCompute/licenses/read Reads any Azure Arc licenses
Microsoft.HybridCompute/licenses/write Installs or Updates Azure Arc licenses
Microsoft.HybridCompute/licenses/delete Deletes Azure Arc licenses
Microsoft.ResourceConnector/register/action Registers the subscription for Appliances resource provider and enables the creation of Appliance.
Microsoft.ResourceConnector/appliances/read Gets an Appliance resource
Microsoft.ResourceConnector/appliances/write Creates or Updates Appliance resource
Microsoft.ResourceConnector/appliances/delete Deletes Appliance resource
Microsoft.ResourceConnector/locations/operationresults/read Get result of Appliance operation
Microsoft.ResourceConnector/locations/operationsstatus/read Get result of Appliance operation
Microsoft.ResourceConnector/appliances/listClusterUserCredential/action Get an appliance cluster user credential
Microsoft.ResourceConnector/appliances/listKeys/action Get an appliance cluster customer user keys
Microsoft.ResourceConnector/operations/read Gets list of Available Operations for Appliances
Microsoft.ExtendedLocation/register/action Registers the subscription for Custom Location resource provider and enables the creation of Custom Location.
Microsoft.ExtendedLocation/customLocations/read Gets a Custom Location resource
Microsoft.ExtendedLocation/customLocations/deploy/action Deploy permissions to a Custom Location resource
Microsoft.ExtendedLocation/customLocations/write Creates or Updates Custom Location resource
Microsoft.ExtendedLocation/customLocations/delete Deletes Custom Location resource
Microsoft.EdgeMarketplace/offers/read Get an Offer
Microsoft.EdgeMarketplace/publishers/read Get a Publisher
Microsoft.Kubernetes/register/action Registers Subscription with Microsoft.Kubernetes resource provider
Microsoft.KubernetesConfiguration/register/action Registers subscription to Microsoft.KubernetesConfiguration resource provider.
Microsoft.KubernetesConfiguration/extensions/write Creates or updates extension resource.
Microsoft.KubernetesConfiguration/extensions/read Gets extension instance resource.
Microsoft.KubernetesConfiguration/extensions/delete Deletes extension instance resource.
Microsoft.KubernetesConfiguration/extensions/operations/read Gets Async Operation status.
Microsoft.KubernetesConfiguration/namespaces/read Get Namespace Resource
Microsoft.KubernetesConfiguration/operations/read Gets available operations of the Microsoft.KubernetesConfiguration resource provider.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.AzureStackHCI/StorageContainers/Write Creates/Updates storage containers resource
Microsoft.AzureStackHCI/StorageContainers/Read Gets/Lists storage containers resource
Microsoft.HybridContainerService/register/action Register the subscription for Microsoft.HybridContainerService
NotActions
none
DataActions
none
NotDataActions
none
Condition
((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) Add or remove role assignments for the following roles:
Azure Connected Machine Resource Manager
Azure Connected Machine Resource Administrator
Azure Connected Machine Onboarding
Azure Stack HCI VM Reader
Azure Stack HCI VM Contributor
Azure Stack HCI Device Management Role
Azure Resource Bridge Deployment Role
Key Vault Secrets User
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants full access to the cluster and its resources, including the ability to register Azure Stack HCI and assign others as Azure Arc HCI VM Contributor and/or Azure Arc HCI VM Reader",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/bda0d508-adf1-4af0-9c28-88919fc3ae06",
  "name": "bda0d508-adf1-4af0-9c28-88919fc3ae06",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/register/action",
        "Microsoft.AzureStackHCI/Unregister/Action",
        "Microsoft.AzureStackHCI/clusters/*",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/Read",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/Write",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Write",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/Delete",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Delete",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/join/action",
        "Microsoft.HybridCompute/register/action",
        "Microsoft.GuestConfiguration/register/action",
        "Microsoft.GuestConfiguration/guestConfigurationAssignments/read",
        "Microsoft.Resources/subscriptions/resourceGroups/write",
        "Microsoft.Resources/subscriptions/resourceGroups/delete",
        "Microsoft.HybridConnectivity/register/action",
        "Microsoft.Authorization/roleAssignments/write",
        "Microsoft.Authorization/roleAssignments/delete",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/deployments/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Management/managementGroups/read",
        "Microsoft.AzureStackHCI/*",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/machines/delete",
        "Microsoft.HybridCompute/machines/UpgradeExtensions/action",
        "Microsoft.HybridCompute/machines/assessPatches/action",
        "Microsoft.HybridCompute/machines/installPatches/action",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.HybridCompute/machines/extensions/delete",
        "Microsoft.HybridCompute/operations/read",
        "Microsoft.HybridCompute/locations/operationresults/read",
        "Microsoft.HybridCompute/locations/operationstatus/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
        "Microsoft.HybridCompute/locations/updateCenterOperationResults/read",
        "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",
        "Microsoft.HybridCompute/osType/agentVersions/read",
        "Microsoft.HybridCompute/osType/agentVersions/latest/read",
        "Microsoft.HybridCompute/machines/runcommands/read",
        "Microsoft.HybridCompute/machines/runcommands/write",
        "Microsoft.HybridCompute/machines/runcommands/delete",
        "Microsoft.HybridCompute/machines/licenseProfiles/read",
        "Microsoft.HybridCompute/machines/licenseProfiles/write",
        "Microsoft.HybridCompute/machines/licenseProfiles/delete",
        "Microsoft.HybridCompute/licenses/read",
        "Microsoft.HybridCompute/licenses/write",
        "Microsoft.HybridCompute/licenses/delete",
        "Microsoft.ResourceConnector/register/action",
        "Microsoft.ResourceConnector/appliances/read",
        "Microsoft.ResourceConnector/appliances/write",
        "Microsoft.ResourceConnector/appliances/delete",
        "Microsoft.ResourceConnector/locations/operationresults/read",
        "Microsoft.ResourceConnector/locations/operationsstatus/read",
        "Microsoft.ResourceConnector/appliances/listClusterUserCredential/action",
        "Microsoft.ResourceConnector/appliances/listKeys/action",
        "Microsoft.ResourceConnector/operations/read",
        "Microsoft.ExtendedLocation/register/action",
        "Microsoft.ExtendedLocation/customLocations/read",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.ExtendedLocation/customLocations/write",
        "Microsoft.ExtendedLocation/customLocations/delete",
        "Microsoft.EdgeMarketplace/offers/read",
        "Microsoft.EdgeMarketplace/publishers/read",
        "Microsoft.Kubernetes/register/action",
        "Microsoft.KubernetesConfiguration/register/action",
        "Microsoft.KubernetesConfiguration/extensions/write",
        "Microsoft.KubernetesConfiguration/extensions/read",
        "Microsoft.KubernetesConfiguration/extensions/delete",
        "Microsoft.KubernetesConfiguration/extensions/operations/read",
        "Microsoft.KubernetesConfiguration/namespaces/read",
        "Microsoft.KubernetesConfiguration/operations/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.AzureStackHCI/StorageContainers/Write",
        "Microsoft.AzureStackHCI/StorageContainers/Read",
        "Microsoft.HybridContainerService/register/action"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": [],
      "conditionVersion": "2.0",
      "condition": "((!(ActionMatches{'Microsoft.Authorization/roleAssignments/write'})) OR (@Request[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6})) AND ((!(ActionMatches{'Microsoft.Authorization/roleAssignments/delete'})) OR (@Resource[Microsoft.Authorization/roleAssignments:RoleDefinitionId] ForAnyOfAnyValues:GuidEquals{f5819b54-e033-4d82-ac66-4fec3cbf3f4c, cd570a14-e51a-42ad-bac8-bafd67325302, b64e21ea-ac4e-4cdf-9dc9-5b892992bee7, 4b3fe76c-f777-4d24-a2d7-b027b0f7b273, 874d1c73-6003-4e60-a13a-cb31ea190a85,865ae368-6a45-4bd1-8fbf-0d5151f56fc1,7b1f81f9-4196-4058-8aae-762e593270df,4633458b-17de-408a-b874-0445c86b69e6}))"
    }
  ],
  "roleName": "Azure Stack HCI Administrator",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI Device Management Role

Microsoft.AzureStackHCI Device Management Role

Actions Description
Microsoft.AzureStackHCI/Clusters/*
Microsoft.AzureStackHCI/EdgeDevices/*
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Microsoft.AzureStackHCI Device Management Role",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/865ae368-6a45-4bd1-8fbf-0d5151f56fc1",
  "name": "865ae368-6a45-4bd1-8fbf-0d5151f56fc1",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/Clusters/*",
        "Microsoft.AzureStackHCI/EdgeDevices/*",
        "Microsoft.Resources/subscriptions/resourceGroups/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack HCI Device Management Role",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI VM Contributor

Grants permissions to perform all VM actions

Actions Description
Microsoft.AzureStackHCI/VirtualMachines/*
Microsoft.AzureStackHCI/virtualMachineInstances/*
Microsoft.AzureStackHCI/NetworkInterfaces/*
Microsoft.AzureStackHCI/VirtualHardDisks/*
Microsoft.AzureStackHCI/VirtualNetworks/Read Gets/Lists virtual networks resource
Microsoft.AzureStackHCI/VirtualNetworks/join/action Joins virtual networks resource
Microsoft.AzureStackHCI/LogicalNetworks/Read Gets/Lists logical networks resource
Microsoft.AzureStackHCI/LogicalNetworks/join/action Joins logical networks resource
Microsoft.AzureStackHCI/GalleryImages/Read Gets/Lists gallery images resource
Microsoft.AzureStackHCI/GalleryImages/deploy/action Deploys gallery images resource
Microsoft.AzureStackHCI/StorageContainers/Read Gets/Lists storage containers resource
Microsoft.AzureStackHCI/StorageContainers/deploy/action Deploys storage containers resource
Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read Gets/Lists market place gallery images resource
Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action Deploys market place gallery images resource
Microsoft.AzureStackHCI/Clusters/Read Gets clusters
Microsoft.AzureStackHCI/Clusters/ArcSettings/Read Gets arc resource of HCI cluster
Microsoft.AzureStackHCI/NetworkSecurityGroups/Read Gets/Lists a network security group resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read Gets/Lists security rule resource
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Resources/deployments/write Creates or updates a deployment.
Microsoft.Resources/deployments/delete Deletes a deployment.
Microsoft.Resources/deployments/cancel/action Cancels a deployment.
Microsoft.Resources/deployments/validate/action Validates a deployment.
Microsoft.Resources/deployments/whatIf/action Predicts template deployment changes.
Microsoft.Resources/deployments/exportTemplate/action Export template for a deployment
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.Resources/subscriptions/resourcegroups/deployments/read Gets or lists deployments.
Microsoft.Resources/subscriptions/resourcegroups/deployments/write Creates or updates a deployment.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
Microsoft.HybridCompute/machines/read Read any Azure Arc machines
Microsoft.HybridCompute/machines/write Writes an Azure Arc machine
Microsoft.HybridCompute/machines/delete Deletes an Azure Arc machine
Microsoft.HybridCompute/machines/UpgradeExtensions/action Upgrades Extensions on Azure Arc machines
Microsoft.HybridCompute/machines/assessPatches/action Assesses any Azure Arc machines to get missing software patches
Microsoft.HybridCompute/machines/installPatches/action Installs patches on any Azure Arc machines
Microsoft.HybridCompute/machines/extensions/read Reads any Azure Arc extensions
Microsoft.HybridCompute/machines/extensions/write Installs or Updates an Azure Arc extension
Microsoft.HybridCompute/machines/extensions/delete Deletes an Azure Arc extension
Microsoft.HybridCompute/operations/read Read all Operations for Azure Arc for Servers
Microsoft.HybridCompute/locations/operationresults/read Reads the status of an operation on Microsoft.HybridCompute Resource Provider
Microsoft.HybridCompute/locations/operationstatus/read Reads the status of an operation on Microsoft.HybridCompute Resource Provider
Microsoft.HybridCompute/machines/patchAssessmentResults/read Reads any Azure Arc patchAssessmentResults
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read Reads any Azure Arc patchAssessmentResults/softwarePatches
Microsoft.HybridCompute/machines/patchInstallationResults/read Reads any Azure Arc patchInstallationResults
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read Reads any Azure Arc patchInstallationResults/softwarePatches
Microsoft.HybridCompute/locations/updateCenterOperationResults/read Reads the status of an update center operation on machines
Microsoft.HybridCompute/machines/hybridIdentityMetadata/read Read any Azure Arc machine's Hybrid Identity Metadata
Microsoft.HybridCompute/osType/agentVersions/read Read all Azure Connected Machine Agent versions available
Microsoft.HybridCompute/osType/agentVersions/latest/read Read the latest Azure Connected Machine Agent version
Microsoft.HybridCompute/machines/runcommands/read Reads any Azure Arc runcommands
Microsoft.HybridCompute/machines/runcommands/write Installs or Updates Azure Arc runcommands
Microsoft.HybridCompute/machines/runcommands/delete Deletes Azure Arc runcommands
Microsoft.HybridCompute/machines/licenseProfiles/read Reads any Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/write Installs or Updates Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/licenseProfiles/delete Deletes Azure Arc licenseProfiles
Microsoft.HybridCompute/licenses/read Reads any Azure Arc licenses
Microsoft.HybridCompute/licenses/write Installs or Updates an Azure Arc licenses
Microsoft.HybridCompute/licenses/delete Deletes an Azure Arc licenses
Microsoft.ExtendedLocation/customLocations/Read Gets a Custom Location resource
Microsoft.ExtendedLocation/customLocations/deploy/action Deploy permissions to a Custom Location resource
Microsoft.KubernetesConfiguration/extensions/read Gets extension instance resource.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants permissions to perform all VM actions",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/874d1c73-6003-4e60-a13a-cb31ea190a85",
  "name": "874d1c73-6003-4e60-a13a-cb31ea190a85",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/VirtualMachines/*",
        "Microsoft.AzureStackHCI/virtualMachineInstances/*",
        "Microsoft.AzureStackHCI/NetworkInterfaces/*",
        "Microsoft.AzureStackHCI/VirtualHardDisks/*",
        "Microsoft.AzureStackHCI/VirtualNetworks/Read",
        "Microsoft.AzureStackHCI/VirtualNetworks/join/action",
        "Microsoft.AzureStackHCI/LogicalNetworks/Read",
        "Microsoft.AzureStackHCI/LogicalNetworks/join/action",
        "Microsoft.AzureStackHCI/GalleryImages/Read",
        "Microsoft.AzureStackHCI/GalleryImages/deploy/action",
        "Microsoft.AzureStackHCI/StorageContainers/Read",
        "Microsoft.AzureStackHCI/StorageContainers/deploy/action",
        "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read",
        "Microsoft.AzureStackHCI/MarketPlaceGalleryImages/deploy/action",
        "Microsoft.AzureStackHCI/Clusters/Read",
        "Microsoft.AzureStackHCI/Clusters/ArcSettings/Read",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/Read",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/write",
        "Microsoft.Resources/deployments/delete",
        "Microsoft.Resources/deployments/cancel/action",
        "Microsoft.Resources/deployments/validate/action",
        "Microsoft.Resources/deployments/whatIf/action",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/write",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/operationresults/read",
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/machines/write",
        "Microsoft.HybridCompute/machines/delete",
        "Microsoft.HybridCompute/machines/UpgradeExtensions/action",
        "Microsoft.HybridCompute/machines/assessPatches/action",
        "Microsoft.HybridCompute/machines/installPatches/action",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/machines/extensions/write",
        "Microsoft.HybridCompute/machines/extensions/delete",
        "Microsoft.HybridCompute/operations/read",
        "Microsoft.HybridCompute/locations/operationresults/read",
        "Microsoft.HybridCompute/locations/operationstatus/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
        "Microsoft.HybridCompute/locations/updateCenterOperationResults/read",
        "Microsoft.HybridCompute/machines/hybridIdentityMetadata/read",
        "Microsoft.HybridCompute/osType/agentVersions/read",
        "Microsoft.HybridCompute/osType/agentVersions/latest/read",
        "Microsoft.HybridCompute/machines/runcommands/read",
        "Microsoft.HybridCompute/machines/runcommands/write",
        "Microsoft.HybridCompute/machines/runcommands/delete",
        "Microsoft.HybridCompute/machines/licenseProfiles/read",
        "Microsoft.HybridCompute/machines/licenseProfiles/write",
        "Microsoft.HybridCompute/machines/licenseProfiles/delete",
        "Microsoft.HybridCompute/licenses/read",
        "Microsoft.HybridCompute/licenses/write",
        "Microsoft.HybridCompute/licenses/delete",
        "Microsoft.ExtendedLocation/customLocations/Read",
        "Microsoft.ExtendedLocation/customLocations/deploy/action",
        "Microsoft.KubernetesConfiguration/extensions/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack HCI VM Contributor",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack HCI VM Reader

Grants permissions to view VMs

Actions Description
Microsoft.AzureStackHCI/VirtualMachines/Read Gets/Lists virtual machine resource
Microsoft.AzureStackHCI/virtualMachineInstances/Read Gets/Lists virtual machine instance resource
Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read Gets/Lists virtual machine extensions resource
Microsoft.AzureStackHCI/VirtualNetworks/Read Gets/Lists virtual networks resource
Microsoft.AzureStackHCI/LogicalNetworks/Read Gets/Lists logical networks resource
Microsoft.AzureStackHCI/NetworkInterfaces/Read Gets/Lists network interfaces resource
Microsoft.AzureStackHCI/VirtualHardDisks/Read Gets/Lists virtual hard disk resource
Microsoft.AzureStackHCI/StorageContainers/Read Gets/Lists storage containers resource
Microsoft.AzureStackHCI/GalleryImages/Read Gets/Lists gallery images resource
Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read Gets/Lists market place gallery images resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/Read Gets/Lists a network security group resource
Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read Gets/Lists security rule resource
Microsoft.HybridCompute/licenses/read Reads any Azure Arc licenses
Microsoft.HybridCompute/machines/extensions/read Reads any Azure Arc extensions
Microsoft.HybridCompute/machines/licenseProfiles/read Reads any Azure Arc licenseProfiles
Microsoft.HybridCompute/machines/patchAssessmentResults/read Reads any Azure Arc patchAssessmentResults
Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read Reads any Azure Arc patchAssessmentResults/softwarePatches
Microsoft.HybridCompute/machines/patchInstallationResults/read Reads any Azure Arc patchInstallationResults
Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read Reads any Azure Arc patchInstallationResults/softwarePatches
Microsoft.HybridCompute/machines/read Read any Azure Arc machines
Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations/read Reads any Azure Arc networkSecurityPerimeterConfigurations
Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/read Read any Azure Arc privateEndpointConnections
Microsoft.HybridCompute/privateLinkScopes/read Read any Azure Arc privateLinkScopes
Microsoft.Insights/AlertRules/Write Create or update a classic metric alert
Microsoft.Insights/AlertRules/Delete Delete a classic metric alert
Microsoft.Insights/AlertRules/Read Read a classic metric alert
Microsoft.Insights/AlertRules/Activated/Action Classic metric alert activated
Microsoft.Insights/AlertRules/Resolved/Action Classic metric alert resolved
Microsoft.Insights/AlertRules/Throttled/Action Classic metric alert rule throttled
Microsoft.Insights/AlertRules/Incidents/Read Read a classic metric alert incident
Microsoft.Resources/deployments/read Gets or lists deployments.
Microsoft.Resources/deployments/exportTemplate/action Export template for a deployment
Microsoft.Resources/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.Resources/subscriptions/resourcegroups/deployments/read Gets or lists deployments.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read Gets or lists deployment operations.
Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read Gets or lists deployment operation statuses.
Microsoft.ResourceHealth/availabilityStatuses/read Gets the availability statuses for all resources in the specified scope
Microsoft.Authorization/*/read Read roles and role assignments
Microsoft.Resources/subscriptions/read Gets the list of subscriptions.
Microsoft.Resources/subscriptions/resourceGroups/read Gets or lists resource groups.
Microsoft.Resources/subscriptions/operationresults/read Get the subscription operation results.
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Grants permissions to view VMs",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/4b3fe76c-f777-4d24-a2d7-b027b0f7b273",
  "name": "4b3fe76c-f777-4d24-a2d7-b027b0f7b273",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStackHCI/VirtualMachines/Read",
        "Microsoft.AzureStackHCI/virtualMachineInstances/Read",
        "Microsoft.AzureStackHCI/VirtualMachines/Extensions/Read",
        "Microsoft.AzureStackHCI/VirtualNetworks/Read",
        "Microsoft.AzureStackHCI/LogicalNetworks/Read",
        "Microsoft.AzureStackHCI/NetworkInterfaces/Read",
        "Microsoft.AzureStackHCI/VirtualHardDisks/Read",
        "Microsoft.AzureStackHCI/StorageContainers/Read",
        "Microsoft.AzureStackHCI/GalleryImages/Read",
        "Microsoft.AzureStackHCI/MarketplaceGalleryImages/Read",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/Read",
        "Microsoft.AzureStackHCI/NetworkSecurityGroups/SecurityRules/Read",
        "Microsoft.HybridCompute/licenses/read",
        "Microsoft.HybridCompute/machines/extensions/read",
        "Microsoft.HybridCompute/machines/licenseProfiles/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/read",
        "Microsoft.HybridCompute/machines/patchAssessmentResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/read",
        "Microsoft.HybridCompute/machines/patchInstallationResults/softwarePatches/read",
        "Microsoft.HybridCompute/machines/read",
        "Microsoft.HybridCompute/privateLinkScopes/networkSecurityPerimeterConfigurations/read",
        "Microsoft.HybridCompute/privateLinkScopes/privateEndpointConnections/read",
        "Microsoft.HybridCompute/privateLinkScopes/read",
        "Microsoft.Insights/AlertRules/Write",
        "Microsoft.Insights/AlertRules/Delete",
        "Microsoft.Insights/AlertRules/Read",
        "Microsoft.Insights/AlertRules/Activated/Action",
        "Microsoft.Insights/AlertRules/Resolved/Action",
        "Microsoft.Insights/AlertRules/Throttled/Action",
        "Microsoft.Insights/AlertRules/Incidents/Read",
        "Microsoft.Resources/deployments/read",
        "Microsoft.Resources/deployments/exportTemplate/action",
        "Microsoft.Resources/deployments/operations/read",
        "Microsoft.Resources/deployments/operationstatuses/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operations/read",
        "Microsoft.Resources/subscriptions/resourcegroups/deployments/operationstatuses/read",
        "Microsoft.ResourceHealth/availabilityStatuses/read",
        "Microsoft.Authorization/*/read",
        "Microsoft.Resources/subscriptions/read",
        "Microsoft.Resources/subscriptions/resourceGroups/read",
        "Microsoft.Resources/subscriptions/operationresults/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack HCI VM Reader",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Azure Stack Registration Owner

Lets you manage Azure Stack registrations.

Actions Description
Microsoft.AzureStack/edgeSubscriptions/read
Microsoft.AzureStack/registrations/products/*/action
Microsoft.AzureStack/registrations/products/read Gets the properties of an Azure Stack Marketplace product
Microsoft.AzureStack/registrations/read Gets the properties of an Azure Stack registration
NotActions
none
DataActions
none
NotDataActions
none
{
  "assignableScopes": [
    "/"
  ],
  "description": "Lets you manage Azure Stack registrations.",
  "id": "/providers/Microsoft.Authorization/roleDefinitions/6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "name": "6f12a6df-dd06-4f3e-bcb1-ce8be600526a",
  "permissions": [
    {
      "actions": [
        "Microsoft.AzureStack/edgeSubscriptions/read",
        "Microsoft.AzureStack/registrations/products/*/action",
        "Microsoft.AzureStack/registrations/products/read",
        "Microsoft.AzureStack/registrations/read"
      ],
      "notActions": [],
      "dataActions": [],
      "notDataActions": []
    }
  ],
  "roleName": "Azure Stack Registration Owner",
  "roleType": "BuiltInRole",
  "type": "Microsoft.Authorization/roleDefinitions"
}

Next steps